Avast Business report may help explain why users are resisting Microsoft’s BlueKeep patch

Jeff Elder, 12 June 2019

Read a new report from Avast Business to find out why users are resisting an easy patch that could prevent Microsoft’s BlueKeep vulnerability from becoming a major cybersecurity incident.

One of the largest tech companies in the world, the U.S. government, and cybersecurity professionals are all fervently urging computer users to apply an easy patch that could prevent a vulnerability known as BlueKeep from becoming a major cybersecurity incident.

Why won’t users do it? New insights from Avast Business suggest an answer.

Microsoft has been imploring users to apply a patch to a vulnerability in older versions of Windows in blunt warnings since mid-May. The company warned that the BlueKeep vulnerability could cause a “wormable” cybersecurity outbreak, meaning it would require no user interaction to spread. It could “propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

For this reason, Microsoft said, “We are taking the unusual step of providing a security update for all customers to protect Windows platforms.”

Two weeks later Microsoft circled back with a warning that noted how many users were not heeding its warnings about BlueKeep. “If recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable,” Microsoft wrote to users at the end of May.

Microsoft wasn’t the only one noticing the issue. The company’s statement cited research by Robert Graham of Errata Security that warned, “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”

Last week the United States’ 30,000-employee National Security Agency took the unusual step of reinforcing the warnings. The Microsoft vulnerability “could spread without user interaction across the internet,” the NSA warned in an advisory about BlueKeep. “We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”

But how can companies, governments, and cybersecurity professionals “motivate increased protections” when warnings this stern don’t work? How many dire warnings do people need? The answer, the Avast Business psychology report notes, may be a different kind of alert, one that is more engaging, like the airline safety videos that grab passengers’ attention.

“Repeated exposure to a security warning – particularly if we’ve ignored one before and nothing bad happened – leads to habituation,” according to the report from Avast and ORConsulting, a psychology practice for business.

Past experiences that were complicated or time-consuming can cause users to hesitate when they are urged to update software. A fuzzy understanding of what’s involved can also cause them to be reluctant. In a split-second struggle in the brain’s limbic system, avoidance conquers logic. Someone goes back to work and lets the warning fade from their mind.

How do you fix this avoidance? A different approach that includes empathy for users, framing the message, and behavioral economics may engage users better than intimidating advisories, the consultants found.

Cybersecurity pros may balk at the idea of promoting a badly needed update, but understanding people’s motivations might make a huge difference. Explaining the issue patiently, noting the user’s ability to make a difference, and creating greater awareness and shared responsibility could go a long way.

“Using ideas like this requires creativity and experimentation, but at least they are informed by evidence about how humans actually make decisions,” the report found.

“Most small to mid-sized businesses understand how important patching is, but the simple truth is that no one likes to patch. Often the IT team is overloaded with tasks,” said Product Management Director Arne Uppheim of Avast Business. “Patching interrupts critical systems, causes a loss of productivity, and potentially even problems with other integrated systems. On the other hand, not patching exposes the business to data loss and stolen intellectual property, downtime through lengthy remediation, questionable data recovery, and ongoing reputational harm.”

Small and medium-sized businesses can take action now and use our new Patch Management service to fix the BlueKeep vulnerability before bad actors get a chance to use it to attack.

Read more from the Avast Business report on user behavior that can make stopping major cybersecurity incidents harder in “Update Inertia: The Psychology Behind Patching and Updating Software.”